Preparing for the GDPR

On May 25, 2018 your business will face the greatest regulatory change in data privacy policy since the 1995 EU Data Protection Directive was enacted: the EU General Data Protection Regulation (GDPR). The European Union will begin enforcing the GDPR from May 25, 2018 in an effort to strengthen the security and protection of personal data of EU residents.

In keeping with our ongoing commitment to privacy and security, Segment will be ready for the GDPR before May 25, 2018, when the law goes into effect. But that’s not all. As the central record for your customer data, we are also committed to making it easier for you to comply with the GDPR.

Specifically, here is how we’ll support our customers:

An updated Data Processing Agreement (DPA) to reflect the requirements of the GDPR and to ensure compliant data transfer with storage outside the EU. Existing customers can enter into the updated data processing agreement via the opt-in process described here.

New product capabilities to help you be compliant when users request you delete or suppress their data.

Check out our blog to learn about our plan for GDPR readiness.

How will the GDPR impact your business? The GDPR has different requirements depending on how your business interacts with personal data. Companies can be data controllers, data processors, or in some cases, both a controller and a processor. Data controllers are businesses that collect their end users’ data and decide why and how that data is processed. On our marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as we are a company that helps our customers with the processing of their customer data.

In addition to damaging your customers’ trust, failure to comply with the GDPR can result in fines of €20 million or 4% of global annual turnover for the previous year (whichever is greater).

What are your responsibilities as a data controller?

If you collect data about EU residents and decide why and how those data are collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR, including entering into a relevant data processing agreement. Moreover, you must fulfill data subjects’ rights with respect to their data along the following principles:






Limitation and minimization of processing based on purpose

We recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR. You can also check out publications by data privacy associations such as the International Association of Privacy Professionals (IAPP) for the latest news.

How can you prepare for the GDPR? In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:

Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.

If you don’t have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company’s GDPR compliance efforts.

Create an up-to-date inventory of personal data that you collect and manage. -

For data flowing through Segment, you can start with the Overview page in your workspace to understand where you are collecting (Sources) and routing (Destinations) customer data. Next, visit the Schema page within each of your Sources to understand the type of data you’re sending to Segment.

Be sure to consider the data that is not flowing through Segment. You’ll need to make sure the same bar for compliance is met across your organization.

Create a list of vendors who you send data to (analytics tools, CRMs, email tools, etc.), and understand whether they are a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.

Develop a plan for obtaining and managing consent in accordance with the GDPR or establish other lawful grounds for using personal data.

Determine if your company needs to appoint a Data Protection Officer (DPO). If you will be appointing a DPO, begin searching for the best person for the role.

Start preparing today! Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how Segment can help you prepare, please let us know!

Over the coming weeks and months, we’ll be sharing details on our new product capabilities and our best practices to help you prepare for the GDPR. Check back here for updates.

How to opt into the Data Processing Agreement and EU Model Contract Clauses Segment offers a Data Processing Agreement (DPA) and EU Model Contract Clauses (MCC) as a means of meeting the adequacy and security requirements of the European Parliament and Council of the European Union's Data Protection Directive and General Data Protection Regulation (GDPR).

Our data processing agreement conveys our ongoing commitment to privacy and reflects the evolving needs of our customers.

In preparation for the GDPR, we have updated these terms to reflect the Regulation. Additionally, we have made these updates available in advance of the enforcement date to facilitate your compliance efforts and overall GDPR readiness when using Segment's services. These agreements are currently available in-app on all paid plans and will be made available shortly to all free plans as well. If you have a free plan, please check back regularly, and we'll notify as soon as these agreements are available to you.

To opt into the Data Processing Agreement and EU Model Contract Clauses:

Go to your Workspace.

Open the left side menu and select Settings.

Below End User Privacy, click Privacy & Security.

Below Data Processing Agreement, click Review.

Read the agreement and then click I Accept.

If you also wish to opt into the EU Model Contract Clauses:

Below EU Model Contract Clauses, click Review.

Read the agreement and then click I Accept.